External risk intelligence

Capgo Account Takeover via Cross-Domain SSO Email Assertion in Provision User

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-56223

The vulnerability resides in a user provisioning endpoint of a web-based service that handles SSO authentication. Such identity and account management endpoints are typically exposed as part of the application's external-facing web surface to facilitate user access and organizational account management.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in Capgo's cross-domain single sign-on feature could allow an attacker with administrative access to merge victim accounts by exploiting email matching without proper authorization checks. This could lead to unauthorized access to user accounts, organizations, and sensitive data.

  • Attackers can take over accounts via SSO.
  • Important for controlling access and data security.
  • Confirm relevance and understand potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with administrative privileges in an organization using the affected software can leverage a misconfigured Single Sign-On (SSO) setup. By controlling a malicious identity provider, the attacker can craft fake authentication responses that trick the software into merging a victim's account with their own, granting them access to the victim's data and organization.

  • Requires administrator access and control over an identity provider.
  • Triggered by forging SAML assertions with victim email addresses.
  • Risk of unauthorized access to accounts and data.

Live Threat

Current exploitation, exposure, and threat context

Attackers with enterprise organization administrator access and a malicious identity provider could merge arbitrary victim accounts by forging SAML assertions with victim email addresses, granting them full access to victim accounts, organizations, and data. This could occur when the provision-user endpoint does not validate SSO provider domain authorization.

  • Victim accounts and organization data.
  • Forged SAML assertions via malicious IdP.
  • Full account and data takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

The vulnerability resides in a user provisioning endpoint, impacting how Capgo handles Single Sign-On (SSO) and user account merging. This means application owners and platform teams are likely responsible for identifying and remediating this issue, with potential involvement from security and vendor management teams. The first practical step is to confirm where Capgo is deployed, assess its reachability and business criticality, identify the accountable owner, and then prioritize remediation actions.

  • App and platform teams own the fix.
  • Verify Capgo deployment and reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Capgo?

Capgo is a software platform used for managing mobile app updates and deployments, particularly for cross-platform frameworks. It provides services to help developers push updates directly to users' devices. The vulnerability specifically involves its user provisioning and Single Sign-On (SSO) systems, which are essential for managing organizational access and identity authentication within the platform.

What is the vulnerability in CVE-2026-56223?

This vulnerability is an Improper Authentication (CWE-287) issue. In plain terms, the software fails to properly verify the identity of an SSO provider when merging user accounts. Because the provision-user endpoint trusts email matches without checking if the SSO domain is authorized, it allows an attacker to trick the system into linking a victim's existing account to a malicious one, granting the attacker unauthorized control over the victim's data.

How can an attacker trigger this account takeover?

An attacker must have existing enterprise organization administrator privileges and control over a malicious identity provider. They trigger the bug by sending a forged SAML assertion that claims a victim's email address. This process does not trigger the bug if the SSO integration is correctly configured to validate the origin domain or if the organization does not utilize the affected user provisioning endpoint for account synchronization.

Is my instance affected by this CVE?

According to Halo Surface Signal, this vulnerability affects the external-facing web surface of the application. Because the flaw exists within the SSO user provisioning endpoint, any Capgo instance that exposes these identity and account management functions to the internet is likely relevant. You should prioritize assessing whether your deployment is reachable externally and if it relies on SSO for user management.

What should I do if I use Capgo?

First, verify your current version of Capgo and determine if you are running a version prior to 12.128.2. Identify the team responsible for managing your platform's authentication and SSO configurations. Reach out to them to confirm the deployment's status and prioritize patching to the latest version to ensure proper validation of identity provider assertions.

References